Creator of the CypherRAT and CraxsRAT Android malware families exposed


The creator of the CypherRAT and CraxsRAT malware families has been identified as a Syrian threat actor operating under the handle EVLF.

Both RATs are built to give an attacker real-time remote control of a victim's device, including its camera, location, and microphone, cybersecurity firm Cyfirma said in a report published last week.

CypherRAT and CraxsRAT are sold to other cybercriminals under a malware-as-a-service (MaaS) model. Over the past three years, as many as 100 distinct threat actors have bought the two tools on lifetime licenses.

According to the investigation, EVLF has run an online storefront advertising the malware since at least September 2022.

CraxsRAT is advertised as an Android trojan that lets operators control infected devices from a Windows machine. The developer keeps releasing updated builds based on customer feedback.

The malicious APK is produced by a builder that lets the operator customize and obfuscate the payload, choose the icon and app name, and select which features and permissions are activated once the app is installed on the phone.

Cyfirma describes CraxsRAT as one of the most dangerous RATs in the current Android threat landscape, citing capabilities such as Google Play Protect bypass, real-time screen viewing, and a remote shell for command execution.


A "Super Mod" feature makes the implant harder to remove: whenever the victim tries to uninstall the app, the uninstall page crashes.

Once installed, the malware prompts the victim to grant it access to Android services and, with those permissions, harvests data that is valuable to criminals: call logs, contacts, external storage, location, and text messages.
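A first triage step against samples of this kind is to check what data categories an APK's manifest asks for. The script below is an added example written for this article, not code from Cyfirma or from the malware; it parses a decoded `AndroidManifest.xml` (real APK manifests are binary XML and must first be decoded with a tool such as apktool or androguard), maps the requested permissions onto the data categories named above plus camera and microphone, and flags the package when it asks for four or more of them. The two manifests are constructed for illustration, and the threshold of four categories is an assumption, not a figure from the report.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name in the parsed tree

# Data categories named in the article (call logs, contacts, external storage,
# location, SMS) plus the camera and microphone the RAT is said to control,
# mapped to the Android permissions an app must declare to reach them.
CATEGORY_PERMISSIONS: Dict[str, Set[str]] = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "text messages": {"android.permission.READ_SMS",
                      "android.permission.RECEIVE_SMS"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

# Assumption: an app touching this many categories at once warrants a closer look.
SUSPICIOUS_CATEGORY_THRESHOLD = 4


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage_manifest(manifest_xml: str) -> dict:
    """Map declared permissions to data categories and flag RAT-like combinations."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & wanted)
            for cat, wanted in CATEGORY_PERMISSIONS.items() if perms & wanted}
    return {
        "package": root.get("package"),
        "categories": hits,
        "suspicious": len(hits) >= SUSPICIOUS_CATEGORY_THRESHOLD,
    }


def _manifest(package: str, *perms: str) -> str:
    """Build a minimal decoded manifest (constructed test input, not a real sample)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">%s'
            '<application android:label="app"/></manifest>' % (ANDROID_NS, package, uses))


# Constructed: a manifest shaped like the data-harvesting profile described above.
RAT_LIKE_MANIFEST = _manifest(
    "com.example.constructed.rat",
    "android.permission.INTERNET",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
)

# Constructed: a manifest for a plausible single-purpose camera utility.
BENIGN_MANIFEST = _manifest(
    "com.example.constructed.flashlight",
    "android.permission.INTERNET",
    "android.permission.CAMERA",
)

if __name__ == "__main__":
    for m in (RAT_LIKE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "suspicious=%s" % r["suspicious"], sorted(r["categories"]))
```

Permissions alone never prove malice (a messaging app legitimately needs SMS and contacts), so treat the flag as a prioritisation signal for manual review of the decoded code, not as a verdict.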

EVLF also operates a Telegram channel named "EVLF Devz", created on February 17, 2022. At the time of writing it has 10,678 subscribers.

A GitHub search for CraxsRAT turns up numerous cracked copies of the malware, although Microsoft appears to have removed some of them in recent days. EVLF's own GitHub account, however, remains active on the code-hosting service.

On August 23, 2023, EVLF announced on the channel that the project would be suspended.

EVLF said in the post that, owing to the pressures of life, he will stop developing and publishing in the future, but that customers need not worry: several patches will be released for their continued use before he leaves.


Source: blog.csdn.net/FreeBuf_/article/details/132480978